Data integrity, Pharmaceutical industry, Good Manufacturing Practice, GMP, Guidelines, Data management, DI and GMP Compliance, paper and electronic data, Archive and back up

1. DATA INTEGRITY
In Pharmaceutical Industry

2. Overview
1. Guidelines
2. Principles of DI
3. Data Integrity Risk Assessment (DIRA)
4. Data Criticality and Risk
5. Design Robust Compliance System
6. Data interpretation and Good Documentation Practices (GDocP)

3. Principles of Data Integrity (DI)
1. Data recorded as per GMP requirement and ensuring data is complete, consistent and
accurate throughout the lifecycle i.e paper or electronic
2. Organisational culture, behaviour encouraging to create right environment to
implement effective Data integrity on site
3. Data governance policy should be effectively endorsed at the highest level
4. Data Integrity Risk Assessment (DIRA)
5. Develop system to maintain and control data, periodic DI audit
6. Contingency procedure should not impact on DI controls. Apply to automated
computerized system to paper-based system, vice versa.
7. Holistic approach for any identified DI weakness
8. Notification to regulatory authority where significant DI incident identify.
9. Effectively implementation of ALCOA+

4. Data Integrity Risk Assessment (DIRA)
1. Consider factors impacting on process or function on the system
2. Common factors are: Computerised system, People, SOP, training, Quality system
3. Automated validated system reduce DI risk
4. Human intervention influence on data record, report, retain, verification, poor
systematic control, poor validation plan increase DI risk
5. DI risk remediation action should be documented, discuss and review by Quality
management
6. DI risk remediation actions should categorise by long term and short term. Where
long term action require, short term action has clearly target problem

5. Data Criticality and Risk
1. Critical data influence on Quality, Safety and Efficacy decision
2. Risk of data deletion, amendment, exclusion without authorisation and lost of
traceability
3. Process complexity, inconsistency, inconclusive outcome increase data risk
4. Common data sources are Paper, electronic, Hybrid, other
4.1. Paper Data: Hand written, printed data require second independent verification (risk
reducing measure)
4.2. Electronic: Complexity of the electronic system. Validation of electronic system to
reduce risk e.g. functionality, configuration, user intervention, data lifecycle
4.3. Hybrid: Combination of paper and electronic data.
4.4. Other: photograph, image, photocopy where original copy fade control storage of
data.

6. Design Robust Compliance System
1. Synchronised clock system for traceable time stamp with correct time zone
2. Control over raw data recording and it’s accessibility
3. Use of controlled logbook with number page to prevent recreation of primary data
4. Access control of computerised system to prevent amendment of data, audit trail
5. Use of interface e.g. Barcode scanner, Automated weighing Printer, Badge access
system to eliminate manual entries and reduce human interaction
6. Trained people, validated system
7. Access of record , reconciliation of printouts to Data verification team
8. Promote work environment that provide sufficient time, equipment, clear
instruction
9. SME involvement in Risk assessment, Quality Metrics for DI

7. Design Robust Compliance System
1. Use of scriber to record data should be justifiable
 Contemporaneous recording
 Clearly identify who is performing task
 All involved persons should trained to carry out activity
 Task briefing should be given to all persons involved
 Document should be singed by all persons involved

8. Data Interpretation and GDocP
1. What information are consider as Data
 Original records
 True copies of original records
 Sourced data (Printout from HMI e.g. SIP, CIP, Autocalve, Balance, HPLC, FTIR)
 Metadata
 Reports printouts
 Any information recorded at the time of activity perform
 Data allows to reconstruct and evaluate carried out GxP activity.

9. Data Interpretation and GDocP
 GDocP are those measures that collectively and individually ensure Documentation,
whether paper or electronic are following the principles of ‘ALCOA+’
 Documents use for GMP purpose should comply with GDocP i.e. BMR, logbook,
Specification, SOP, Analytical method, Protocol, Qualification Doc, CofA, TA, PQR
 Document handling procedure i.e Retention, Archiving, Periodic review
ALCOA + (Plus)
Attributable Consistent
Legible Complete
Contemporaneous Enduring
Original Available
Accurate

10. Data Interpretation and GDocP
 ALCOA
Attributable – clear who has capture and
document the data
Legible – readable and stay in permanent
format throughout life cycle
Contemporaneous – recorded at the time
of activity
Original – first recorded data, not ‘True
copy’
Accurate – True representation of Fact
 ALCOA+
Consistent – recorded in same way
Complete – Complete pack of data
including metadata
Enduring – long lasting durable storage
(paper, electronic)
Available – Retrievable and accessible for
review

11. Data Interpretation and GDocP
2. What is Raw data?
 Original report, first captured information and should endure during lifecycle of data
 Raw data could be paper or electronic
 If data capture electronically and print as per requirement then electronic data is a
raw
raw data which can reproduce
 If electronic system does not store data then print out is the raw data
 If electronic system have limited storage capacity then data should be periodically
review and paper copy to keep
 Electronic data storage, back up and periodic review to carry out as per site
procedure

12. Data Interpretation and GDocP
3. What is Metadata?
 Describe the attribute of other data and provide context and meaning.
 It is a part of original data but original data has no meaning if context not provide
by metadata.
4. What is Data Governance?
 Any form of data generation are recorded, processed, retain and available to use
for
data lifecycle.
 Data ownership and accountability
 Data access restriction, handling, encourage reporting of errors, omissions, OOS

13. Data Interpretation and GDocP
5. What is Data lifecycle?
 Data to retain and accessible in original form from generation, recording, use,
retention, archive/retrieval and destruction to ensure DI.
6. Recording data
 Should meet ALCOA+ principles
 Recording methods should be controlled and traceable
7. Data transfer / migration
 Storage media can change without changing the original data
 Storage media, data transfer process should be validated, audit trail availability
 Electronic worksheet should be controlled

14. Data Interpretation and GDocP
8. Data Processing
 Original data should available throughout life cycle
 Data process should not manipulate data to get desirable result e.g. Chromatogram
9. Excluding Data
 Should demonstrate with valid scientific justification and recorded with original data
 Excluded data should retain with throughout lifecycle
10. Original Record
 First source of information cab ne paper, observation, electronic record including
any
supportive data require to re-generate the GxP activity.
 Original record can be static and dynamic

15. Data Interpretation and GDocP
11. True copy
 A verified copy by second person which contains same data, information as
original
copy. This can be paper, electronic and retain throughout the data lifecycle.
12. Computerised system transaction
 It can be single or series of operation to perform the transaction. This can be
perform manually or control by automated system
 Critical steps should perform, record contemporaneously and save before make
any change
 E-signature, audit trail should introduce to capture data even

16. Data Interpretation and GDocP
13. Audit trail
 A form of metadata containing information associated with actions that relate
to creation, modification or deletion of GxP records.
 Secure recording of any type modification of data such as creation, additions,
deletions, alterations e.g. Paper or Electronic
 Audit trail facilitate the reconstruction of historical event during investigation
 System should be risk assessed for clearly identified use access level
 Computerised system should always provide retention of audit trail to review
changes
 Where Audit trail not possible, alternative method should in in place e.g.
logbook
 Audit trail should review periodically, part of data approval by trained reviewer

17. Data Interpretation and GDocP
14. Electronic signature (e-sign)
 Digital form of signature equivalent in legal terms of hand written signature
 Control of e-sign: attributable, no manipulation, legible, security of access by
owner
 Where pdf, paper copy e-sign, metadata should be documented with original
 Method of authentication of e-sign should be risk assess
 Only inserted image , footnote without metadata is not adequate for e-sign

18. Data Interpretation and GDocP
15. Data review and approval
 Should be a SOP to describe review and approve data
 Error should be addressed as per procedure e.g. Comments, Deviation
 Correction, recording, process should follow ALCOA+
 Electronic report should customise to provide all necessary information require
for
review and approval of report and related documents
 If data provided by other organisation, then receiving organise should evaluate
the data
 Data integrity of data supplier and generator
 Clearly identify category of routine and periodic data review

19. Data Interpretation and GDocP
16. Computerised system user access/system administrator roles
 Access as per functionality appropriate to job role
 Company must able to demonstrate regarding user access level
 Individual login require for audit trail to ensure data integrity
 Generic user access should not be used, additional license purchase should be
available
 System not use for GxP purpose but contain GxP data must demonstrate control
over user access
 System admin rights should not conflict interest of data use

20. Data Interpretation and GDocP
17. Data retention
 Data archive , back up procedure and policy should available
 Data retention should ensure to protect data from deliberate, inadvertent
alteration or loss
 Data security should ensure by controlling measure or validate system
 Original/true copy paper data can be stored by validating scanning process
and control storage location
 Data destruction procedure should consider criticality and applicable legislative
retention requirements

21. Data Interpretation and GDocP
18. Archive and back up
 Designated secure area for long term, retention of data and metadata for the
purpose of verification of the process or activity
 Should be protected for any alteration and event like fire, flood, pest
 Should be an arrangement to permit recovery of data, able to perform full
verification
 Virtual system can be use for legacy system which are no longer supported
 If full data migration of original is not achievable, risk based approach in place to
protect data
 Original data pack including metadata configure to maintain for recovery including
disaster recovery
 Backup and recovery process should be validated, periodically tested, functionality
 Back up policy and procedure should be in place
 Back up policy should not affect retention policy

22. Data Interpretation and GDocP
19. File structure
 DI risk assessment should define GxP use, software functionality for intended use,
control and security over generated file
20. Validation for intended purpose
 Comply with regulatory requirement
 Functional verification should be demonstrated
 internal requalification schedule should be available
21. IT supplier and service provider
 For ‘cloud’ and ‘virtual’ service provider ownership, retrieval, retention, data security
should consider
 Impact of law application of geographical location where data are physically stored
 Technical agreement should clearly define responsibilities of contract giver and
acceptor
 Software/system restoration should be made as per GxP

23. Thank you